The user.map file allows you to use an encrypted version of the file by using the @script directive. Here is an example of how you can decrypt a file and return the results to user.map.
Change to a directory outside of the currently installed Tungsten
Do this to ensure that the OpenSSL key and encrypted file are available after upgrades and other operations.
shell> cd /opt/continuent/share
Create an OpenSSL key
In this example we will use a 1024-bit RSA private key to do the encryption and decryption. There are many options for encrypting and decrypting files but this documentation will not explore those. The same process will work with other encryption techniques. You must ensure that the decryption command runs without user input.
shell> openssl genrsa -out usermap.pem 1024
Create the file of user.map entries to be encrypted:
tungsten secret nyc_sjc sjc
tungsten_sjc secret sjc
tungsten_nyc secret nyc
Create an encrypted version of the file:
shell> openssl rsautl -encrypt -inkey usermap.pem -in user.map.entries -out user.map.entries.ssl
Test decryption of the encrypted file:
shell> openssl rsautl -decrypt -inkey usermap.pem -in user.map.entries.ssl
This should return the unencrypted user.map:
tungsten secret nyc_sjc
tungsten_sjc secret sjc
tungsten_nyc secret nyc
Update the installed and configured tungsten-connector/conf/user.map file:
...
# Examples:
# user tungstenuser has password secret and uses 'sjc_nyc' composite
# data service, but prefers nyc site for reading:
# tungstenuser secret sjc_nyc nyc
Now add a @script directive to point to the encrypted file and private key:
@script openssl rsautl -decrypt -inkey /opt/continuent/share/usermap.pem -in /opt/continuent/share/user.map.entries.ssl
...
Repeat the process on each host. The user.map file will be copied to the new version when you upgrade Tungsten, so this process only needs to be completed once per host.
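
The private key is stored unencrypted next to the encrypted file, so the file permissions on usermap.pem are what protect the passwords, and RSA can only encrypt an entries file that fits in a single block. The following pre-flight check is an added example and is not part of the Tungsten documentation; the function names are hypothetical, and it assumes the default PKCS#1 v1.5 padding of openssl rsautl.

```shell
#!/bin/sh
# Added example, not Tungsten code: pre-flight checks for the @script files.

# Largest plaintext (bytes) RSA can encrypt with PKCS#1 v1.5 padding, the
# `openssl rsautl` default: key size in bytes minus 11.
max_plaintext_bytes() { echo $(( $1 / 8 - 11 )); }

# Succeeds if the entries file $1 fits in one RSA block for a $2-bit key.
entries_fit_key() {
    [ -r "$1" ] || return 2
    size=$(( $(wc -c < "$1") ))
    [ "$size" -le "$(max_plaintext_bytes "$2")" ]
}

# Succeeds if the key file $1 grants no permissions to group or others.
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# usage: usermap_preflight KEY ENTRIES BITS
# Prints one line per problem found and returns the number of problems.
usermap_preflight() {
    problems=0
    if ! key_is_private "$1"; then
        echo "key $1 is accessible to group/others; run: chmod 600 $1"
        problems=$((problems + 1))
    fi
    if ! entries_fit_key "$2" "$3"; then
        echo "$2 exceeds $(max_plaintext_bytes "$3") bytes; too large for a $3-bit key"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed demo using the three sample entries from this page.
demo=$(mktemp -d)
printf '%s\n' 'tungsten secret nyc_sjc sjc' 'tungsten_sjc secret sjc' \
    'tungsten_nyc secret nyc' > "$demo/user.map.entries"
: > "$demo/usermap.pem"        # empty stand-in; only its mode is checked
chmod 644 "$demo/usermap.pem"  # deliberately too permissive
usermap_preflight "$demo/usermap.pem" "$demo/user.map.entries" 1024 || true
rm -rf "$demo"
```

With the 1024-bit key used here the limit is 117 bytes, so an entries file that grows beyond it needs a larger key or one of the other encryption techniques mentioned above.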